InsiderLens

Privacy Policy

This page describes how Nexlens Holding Limited (in incorporation)("we") processes personal data on InsiderLens.

1. Data Controller

Nexlens Holding Limited (in incorporation)
26, The Forum Office, Triq L-Uqija, Swieqi, SWQ 2335, Malta
DPO / privacy contact : privacy@insiderlens.com

2. Data We Collect

2.1 When you visit (anonymous)

  • Minimal server logs : truncated IP (/24 v4 or /48 v6), user-agent, requested URL, HTTP status, timestamp
  • Session cookie il_session (see cookies) — only when signed in

2.2 When you create an account

  • Email (unique identifier)
  • Preferred language (FR / EN)
  • Subscription tier (Free by default)
  • Session history : date, truncated IP, truncated user-agent, last activity
  • Magic-link tokens — stored only as SHA-256 hashes server-side

2.3 When you use the product

  • Watchlist : followed issuers and notification preferences
  • Alerts sent : dispatch log (date, status, recipient)

3. Lawful Basis and Purposes

PurposeLawful basisRetention
Service provision (account, watchlist, alerts)Contract (Art. 6(1)(b) GDPR)Account lifetime + 30 days
Security (fraud detection, anti-abuse)Legitimate interest (Art. 6(1)(f))90 days (truncated logs)
Billing (when applicable)Legal obligation + contract10 years (Maltese tax law)
Marketing (newsletter, opt-in only)Consent (Art. 6(1)(a))Until withdrawal

4. Recipients and Processors

We share personal data with the following processors :

  • Hetzner Online GmbH, Gunzenhausen, Germany (EU/EEA) — server hosting, data stored in EU/EEA
  • Cloudflare, Inc., San Francisco, CA, USA — content delivery and DDoS protection (USA ; transfer governed by the European Commission's Standard Contractual Clauses)
  • Resend Labs, Inc., San Francisco, CA, USA — transactional email delivery (USA ; SCC)
  • Cloudflare R2 (Cloudflare, Inc., San Francisco, CA, USA) — raw regulatory document storage (USA ; SCC)

We never sell or rent your personal data.

5. International Transfers

Some of our processors (Cloudflare, Resend) are USA-based. Transfers are governed by Standard Contractual Clauses and, where applicable, Data Privacy Framework certifications. Copies of the SCCs are available on request at privacy@insiderlens.com.

6. Your Rights

You have the following rights :

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17) — "right to be forgotten"
  • Right to restriction (Art. 18)
  • Right to portability (Art. 20)
  • Right to object (Art. 21)
  • Right to withdraw consent at any time

To exercise these rights, write to privacy@insiderlens.com. We reply within 30 days. You may also lodge a complaint with Office of the Information and Data Protection Commissioner (IDPC) (Malta) or the data protection authority of your country of residence.

7. Security

  • TLS 1.3 enforced on all connections
  • Passwords : not stored (magic-link authentication)
  • Session tokens and magic tokens : SHA-256 hashed at rest
  • AES-256 encrypted backups
  • DB access strictly scoped (SELECT-only role for the public site)

8. Third-Party Data (Reporting Insiders)

InsiderLens aggregates insider transactions published by financial regulators (SEC, FCA, AMF, BaFin, FI, AFM, HKEX, SGX, ASX). These contain personal data of reporting individuals (name, role, amounts). See our Insider Notice for details.

9. Changes

This policy may be updated. Material changes will be notified to signed-in users by email. Current version : v0.1 (draft, pre-launch) (2026-04-23).